The law requires employers to keep HR records on their staff. These records will include personal information, payroll data, among other things.
UK legislation requires employers to hold on to this information. But GDPR makes keeping employee files complicated and holding records for longer than there is a business use can result in considerable fines.
So how long do employers have to keep employee records after termination? In this article we’ll cover record retention, employee files and data protection rules.
How long to keep personnel files in the UK?
Legislation sets out the length of time to keep employee records. The government calls this a statutory retention period.
The statutory retention periods for documents in the UK differ depending on the type of record.
If you don’t know how long to keep training records, you might think that they have little use after an employee leaves your company. These records can be helpful in court cases.
For example, if an employee leaves your business and has an accident at their new job. A record of the training they’ve received can help the employee’s defence in a legal dispute.
However, many HR records contain sensitive information, such as employee’s personal details, and keeping documents for longer than they are useful can put those employees at risk.
Statutory HR data retention periods
There are different guidelines for how long to keep personnel files in the UK. The statutory period depends on the length of time that the records could be of use to the business or in legal proceedings.
For example, medical records relating to hazard materials need to be held for 40 years. This is because illnesses related to exposure can take a long time to develop.
The full list of statutory retention periods can be split into different categories.
Health & safety and training records
- Accident reports: 3 years from the date of the last entry.
- First aid and fire warden training: 6 years after employment.
- Health & safety representatives and employee’s training: 5 years after employment.
- Medical records and details of biological tests under the Control of Lead at Work Regulations: 40 years from the date of the last entry.
- Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH): 40 years from the date of the last entry.
- Medical records containing details of employees exposed to asbestos and medical examination certificates: 40 years from the date of the last entry for medical records. 4 years from the date of issue for medical examination certificates.
- Medical records under the Ionising Radiations Regulations 1999: At Least 50 years, or until the person reaches 75 years of age.
- Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH): 5 years from the date on which the tests were carried out.
- Accounting records: 3 years for private companies, 6 years for public limited companies.
- Income tax records and correspondence with HMRC: 3 years after the end of the financial year they relate to.
- National minimum wage records: 3 years after the end of the pay reference period following the one that the records cover. For example, the end of the month after an employee has left the company.
- Payroll data retention (including overtime, bonuses and expenses): 6 years from the end of the tax year to which they relate.
- Retirement Benefits Schemes and records relating to incapacity: 6 years from the end of the scheme year when the event took place.
- Statutory Maternity Pay records, including shared paternal, paternity and adoption pay records: 3 years after the end of the tax year in which the maternity period ends.
General employment records
- Working time records: 2 year from the date on which they were made.
- Subject access requests: 1 year after completion of the request.
- Records relating to children and young adults: Until they reach the age of 21.
- Whistleblowing documents: 6 months following the outcome. If unsubstantiated, personal data should be removed immediately.
The list of statutory retention periods doesn’t cover all types of documents you may have.
Other common types of HR documents you will need to consider are: CCTV footage, pension records and employee references.
It’s up to the employer to decide what is best for the other types of files. Though there isn’t a statutory limit, keeping accurate records can help in the event of a legal challenge.
As many legal proceedings have a six year time limit for making a case, it’s recommended that you set a personnel records retention period of six years for anything that might be relevant to a contractual claim.
Employee records and GDPR
When the government introduced GDPR in 2018, they implemented new rules regarding the retention of HR records.
The rules mean that employers can only hold personal data for as long as there is a business need, and give employees more rights regarding their data.
Those rights include:
- The right to be informed
- Rights of access
- The right to be forgotten
Law states you should make any previous employees aware of the information you hold on them, and can request to see this information.
Where they don’t think there is a reason for you to have the information, they can request you
One other key difference regarding retention of HR records under GDPR is the penalties you can face for not complying.
Since Brexit, the penalties differ slightly depending on whether the data refers to personal data for UK or EU residents.
The UK GDPR rules set a maximum fine of £17.5 million or 4% of annual global turnover - whichever is greater. EU GDPR rules are very similar but the maximum fine is €20 million (about £18 million) instead.